-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If I understood your question correctly, I'd suggest you use iptables
instead of routing etc. Set up a firewall which prohibits some traffic
depending on MAC source while it allows others.
I.e., set up the rules which allow traffic with iptables in a way like this:
iptables -A FORWARD -s 192.168.1.0/26 -j ACCEPT
iptables -A FORWARD -s 192.168.1.64/26 -d 10.1.1.1/32 -j ACCEPT # what kind of access?
etc, and then set up a policy of DROP on the FORWARD chain.
For more on this, check out the howtos and tutorials etc on
http://netfilter.samba.org/.
Have a nice day,
On Wednesday 03 October 2001 16:06, bharat merja wrote:
> Hi,
>
> Thanks to all in advance,
>
> Recently I need policy-based routing on my Linux 2.4.3 box. The requirement
> is to give Internet access to some computers while this facility is
> not available to the rest of the people (that is, based on MAC address only).
>
> My existing routing in "table main" is...
>
> 192.168.1.0/26 dev eth0 proto kernel scope link src 192.168.1.3
> 192.168.1.64/26 dev eth1 proto kernel scope link src 192.168.1.65
> 192.168.2.0/24 via 192.168.1.2 dev eth0
> 127.0.0.0/8 dev lo scope link
> default via 192.168.1.1 dev eth0
>
> Where 192.168.1.1 is ip of router, there is no restriction required on
> 192.168.1.0/26, while on 192.168.1.64/26 I need to give access to some
> computers only.
>
> I have done some work on it but have not had success. I have done this:
>
> #iptables -A PREROUTING -t mangle -i eth1 -m mac --mac-source ab:cd:ef:12:34:56 -j MARK --set-mark 1
> #ip rule add fwmark 1 table John
> #ip route add unreachable default table John
>
> After that I tried in INPUT too, but no success.
>
> If anyone has implemented this in their network, please guide me. What basic
> mistakes am I committing in this scenario?
>
> Looking forward to a kind reply from the Network Gurus.
>
> Thanks and regards
> Bharat Merja.
- --
-----------------------------------
|Oskar Andreasson |
|Multisoft Education AB |
|http://www.libendo.com |
|phone: +46-8-6635555 |
|mailto: o.andreasson@libendo.com |
-----------------------------------
BOFH excuse #1:
clock speed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7uxy/xO3KTTz2r/kRAl5TAKCb4nWnOzQqD0UroaZ9pZm7oReJmgCguQAt
rhVUgy8Csr2G17HaQgjtL5Q=TKAk
-----END PGP SIGNATURE-----
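
The allow-by-MAC filtering suggested in the reply, as an added example that is not part of the original message: a shell function that prints a FORWARD ruleset for the poster's eth0/eth1 layout, using the `mac` and `state` matches. The function names, the choice to print the rules rather than apply them, and the ESTABLISHED,RELATED rule for return traffic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): emit a FORWARD ruleset for the layout
# described above. eth0 = 192.168.1.0/26 (unrestricted),
# eth1 = 192.168.1.64/26 (only listed MACs may be forwarded).

# Return 0 only for a well-formed MAC: six colon-separated hex octets.
valid_mac() {
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;   # rejects spaces, newlines, ';' etc.
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print iptables commands for the given allow-list of MAC addresses.
# Nothing is printed unless every argument validates, so a bad entry
# can never produce a half-built ruleset.
gen_forward_rules() {
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # Default-deny first, then rebuild the chain.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections that were allowed out (assumed requirement).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Unrestricted segment.
    echo "iptables -A FORWARD -i eth0 -s 192.168.1.0/26 -j ACCEPT"
    # Restricted segment: one rule per allowed host, tied to interface,
    # subnet and source MAC together.
    for mac in "$@"; do
        echo "iptables -A FORWARD -i eth1 -s 192.168.1.64/26 -m mac --mac-source $mac -j ACCEPT"
    done
}

# Sample run with the MAC from the original question; review the output,
# then pipe it to sh as root to apply it.
gen_forward_rules ab:cd:ef:12:34:56
```

The `mac` match sees only the source address of the Ethernet frame as it arrives, so it works for hosts directly attached to the eth1 segment and not for traffic relayed by another router. A MAC address can be changed by the host's owner, so treat this as access policy for cooperative users rather than authentication.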